Filter expression language

Written by

Yandex Cloud

Updated at October 17, 2024

How to set a filter
Filter parameters
- Parameter value requirements
- Searching for occurrences
Comparison operators
Filters with multiple conditions
Computation order

You can filter log group records using the filter expression language. With the filter expression language, you can:

Search for records by one or multiple parameter values.
Use the comparison operators and logical operators in filters.

How to set a filter

Management console

CLI

API

In the management console, select the folder containing your log group.
Select Cloud Logging.
Go to the Groups tab.
Click the row with the log group you want to filter.
Go to the Logs tab.
Set a filter and press Enter.

If you do not have the Yandex Cloud command line interface yet, install and initialize it.

The folder specified in the CLI profile is used by default. You can specify a different folder using the --folder-name or --folder-id parameter.

To set a filter using the filter expression language, run the command:

yc logging read --group-name=default --filter="<filter>"

Note

You can filter records using the --filter and other flags of the yc logging read command at the same time. This combines the conditions with the AND operator. For example, you can set a filter using the --resource-types flag and the level parameter of the --filter flag:

yc logging read --group-name=default --resource-types=serverless.function --filter="level=INFO"

This filter will output records with the INFO logging level sent in the previous hour by Cloud Functions functions.

You can set a filter using the LogReadingService/Read gRPC API call.

Examples of filters

Records whose messages contain warning or error dialing endpoint:
message: warning "error dialing endpoint"
Records created after June 8, 2023:
timestamp > "2023-06-08T00:00:00Z"
Records whose logging level is higher than or equal to INFO:
level >= INFO

Filter parameters

Parameter	Filter format	Description	Sample filter
`message`	`parameter: "value"`	Search for records whose messages have values specified. The `message` is the default parameter, so you can omit it in the request.	`"Hello world!" Error Exception`
`resource_type`	`parameter: "value"` `parameter <comparison operator> "value"`	Search for records sent by resources of the specified type, such as functions.	`resource_type = "serverless.function"`
`resource_id`	`parameter: "value"` `parameter <comparison operator> "value"`	Search for records sent by a service with the specified ID.	`resource_id: "d4e155orh3nu********"`
`json_payload`	`parameter: "value"`	Search for records with `json_payload` set to certain values. The search is done by text.	`json_payload: "error"`
`json_payload.<element>`	`parameter: "value"` `parameter <comparison operator> "value"`	Search for records by `json_payload` elements. If the filter uses a comparison operator, the element can be a string, a number, or a Boolean value; otherwise, it can only be a string. You can omit the `json_payload` prefix if the tree root element does not match any of the parameters. Check if `json_payload` contains a certain element using the `EXISTS` operator, e.g., `json_payload.result EXISTS`. This filter outputs records whose `json_payload` contains the `result` element.	`json_payload.flag = FALSE`
`timestamp`	`parameter <comparison operator> "value"`	Search for records created within the specified interval.	`timestamp >= "2023-06-08T00:00:00Z"`
`ingested_at`	`parameter <comparison operator> "value"`	Search for records delivered to the Cloud Logging system within the specified interval.	`ingested_at = "2023-06-22T05:15:03Z"`
`saved_at`	`parameter <comparison operator> "value"`	Search for records saved to the Cloud Logging database within the specified interval.	`saved_at >= 1622198048`
`level`	`parameter <comparison operator> "value"`	Search for records with the specified logging levels. Possible logging levels: `TRACE`, `DEBUG`, `INFO`, `WARN`, `ERROR`, and `FATAL`.	`level >= WARN`
`stream_name`	`parameter <comparison operator> "value"`	Search for records by custom log streams.	`stream_name = input`
`request_id`	`parameter <comparison operator> "value"`	Search for records by the request ID in `json_playload`.	`request_id <= "145"`

Parameter value requirements

It is not required to enclose a value in quotation marks if:

It starts with a Latin letter and only contains Latin letters, numbers, and underscores.
It is an unsigned integer.

TRUE, FALSE, true, and false are used for Boolean values. Enclose them in quotation marks to find them in the text.

Possible types of timestamp, ingested_at, and saved_at parameter values:

A string in RFC3339 format:
```
saved_at > "2023-05-28T15:20:31Z"
```
Number of seconds after 00:00 1970-01-01:
```
saved_at >= 1622198048
```

Searching for occurrences

To filter records by multiple values of the same parameter, list the values one by one:

parameter: "value1" "value2" "value3"

For case-sensitive search, use the :! operator:

parameter:! "vAlUe1" "vaLuE2"

Search for boolean values and floating-point and fixed-point numbers works as search for substring matching across multiple strings.

Comparison operators

Apart from checking for an exact match, the filter expression language supports the following comparison operators:

Equal to
```
parameter = "value"
```
Not equal to
```
parameter <> "value"
```

Greater than, Less than, Less than or equal to, and Greater than or equal to

parameter > "value"
parameter < "value"
parameter >= "value"
parameter <= "value"

Strings are compared in lexicographic order.

Filters with multiple conditions

You can combine multiple conditions in a single filter using logical operators:

AND: Conditions combined with the logical operator AND must be fulfilled simultaneously.

For example:
```
parameter1: "value1" AND parameter2: "value2"
```
This request returns records with parameter1 set to value1 and parameter2 set to value2.
OR: If you use the logical operator OR, at least one of the conditions must be fulfilled.

For example:
```
parameter1: "value1" OR parameter2 > "value2"
```
This request returns records that have at least one of the conditions met: parameter1 is set to value1 or parameter2 is greater than value2.
NOT: With the logical operator NOT, a condition that is inverse of the specified one must be fulfilled.

For example:
```
NOT parameter1: "value1"
```
This request returns records with parameter1 not equal to value1.

You can create complex filters by combining multiple operators in a single request:

parameter1: "value1" AND parameter2: "value2" OR parameter3: "value3"

Computation order

Search for occurrences, comparison operators, the EXISTS operator
Logical NOT
Logical AND
Logical OR

You can change the order of computations using parentheses:

parameter1: "value1" AND (parameter2 = "value2" OR parameter3 < "value3")

Filter expression language

How to set a filterHow to set a filter

Examples of filtersExamples of filters

Filter parametersFilter parameters

Parameter value requirementsParameter value requirements

Searching for occurrencesSearching for occurrences

Comparison operatorsComparison operators

Filters with multiple conditionsFilters with multiple conditions

Computation orderComputation order

Was the article helpful?